Install and Configure OpenLDAP + phpLDAPadmin


Environment

CentOS-6.3-x86_64-minimal [Download]

I used nano as the text editor, but you can just as easily use vi. To install nano, type yum install -y nano.

I used Putty [Download] as the SSH client to connect remotely to my CentOS install.

Typography

Characters in code can sometimes be ambiguous. To make it clear which characters are what, I have listed the characters below for comparison.

1 (one) L (UC el) l (lc el)    0 (zero) O (UC ow) o (lc ow)    8 (eight) B (UC be) b (lc be)    5 (five) S (UC es) s (lc es)

a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

Prerequisites

It is assumed you have already installed CentOS with networking enabled and, although this is not mandatory, it is advisable to have configured a static IP.

Disable SELINUX

I haven’t tried installing with SELinux enabled, so I don’t know if this is necessary, but I think phpLDAPadmin won’t work properly otherwise.

nano /etc/sysconfig/selinux
SELINUX=disabled

After the next step, you are told to reboot, but if you can’t, you can run setenforce 0 to stop SELinux enforcing until you can.

Configure Firewall

Make sure you add any other rules not listed here which you are using.

nano /etc/sysconfig/iptables

Change -s 192.168.0.0/16 to your own network.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.0.0/16
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -s 192.168.0.0/16
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
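As an added check (example code, not part of the original guide), the following Python scans an iptables-save style ruleset such as /etc/sysconfig/iptables and reports any ACCEPT rule for the LDAP ports (389, 636) that lacks a restricting -s source, which is the mistake the rules above are written to avoid; the sample ruleset in the block is constructed and deliberately omits the -s on the 636 rule.

```python
import shlex
from typing import Dict, List

LDAP_PORTS = {"389", "636"}
ANY_SOURCE = {None, "0.0.0.0/0", "0/0", "anywhere"}  # missing -s or a match-all -s


def _options(rule: str) -> Dict[str, str]:
    """Map every flag in an iptables rule to the token that follows it."""
    tokens = shlex.split(rule)
    return {tok: tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok.startswith("-")}


def unrestricted_ldap_rules(ruleset: str) -> List[str]:
    """Return INPUT rules that ACCEPT an LDAP port without a restricting -s source."""
    findings = []
    for raw in ruleset.splitlines():
        rule = raw.strip()
        if not rule.startswith("-A INPUT"):
            continue                      # only inbound rules matter here
        opts = _options(rule)
        if opts.get("-j") != "ACCEPT" or opts.get("--dport") not in LDAP_PORTS:
            continue
        if opts.get("-s") in ANY_SOURCE:
            findings.append(rule)
    return findings


# Constructed sample ruleset (not from a live system): the 636 rule is missing its -s.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.0.0/16
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for rule in unrestricted_ldap_rules(SAMPLE_RULES):
        print("LDAP port open to any source:", rule)
```

Run it against a copy of your own /etc/sysconfig/iptables to confirm both LDAP rules carry the -s restriction before you restart the firewall.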

In the next step, you are told to reboot, but if you can’t, you can run service iptables restart instead.

Reboot System

reboot

Confirm configuration

iptables -L
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  192.168.0.0/16       anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  192.168.0.0/16       anywhere            state NEW tcp dpt:ldaps
sestatus
SELinux status:                 disabled
yum repolist
base                                         CentOS-6 - Base
extras                                       CentOS-6 - Extras
updates                                      CentOS-6 - Updates

If you’re not using a fresh install, you may have additional repos; I haven’t tested with others, so I don’t know the implications. Please see If Not True Then False for instructions on how to remove repositories.

Install and Configure OpenLDAP

Install OpenLDAP

yum install -y openldap-servers openldap-clients

Wait for it to finish before proceeding.

Enable logging

mkdir /var/log/slapd
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << EOF
local4.* /var/log/slapd/slapd.log
EOF
service rsyslog restart

Create Certificate

cd /etc/pki/tls/certs
make slapd.pem

The following is just an example. You should enter your own responses.

Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Isle of Man
Locality Name (eg, city) [Default City]:Colby
Organization Name (eg, company) [Default Company Ltd]:ITManx Ltd
Organizational Unit Name (eg, section) []:ICT
Common Name (eg, your name or your server's hostname) []:itmanx.com
Email Address []:support@itmanx.com

You can run openssl x509 -in slapd.pem -noout -text to view the certificate.

chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/certs/slapd.pem

Generate LDAP Manager password

slappasswd

This command prints a hash in the format {SSHA}********************* which you will need in a later step, so copy it when it appears.

New password: ******
Re-enter new password: ******
{SSHA}qK4HQqJXV97FFJI4vYDxqR5NRlpC+5Tn

Copy example files

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Update slapd config file

nano /etc/openldap/slapd.conf
  1. Find and replace every dc=my-domain with your own domain.
  2. Find the three TLS lines and replace them with the following
    TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    TLSCertificateFile /etc/pki/tls/certs/slapd.pem
    TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
    
  3. Search for rootpw and add the {SSHA}********************* you copied earlier, ensuring all other rootpw lines are commented out
    # rootpw                secret
    # rootpw                {crypt}ijFYNcSNctBYg
    rootpw                  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    

Enable SSL over LDAP

nano /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Update ldap config file

nano /etc/openldap/ldap.conf

The dc=my-domain,dc=com should be the same as the one you set in /etc/openldap/slapd.conf

BASE dc=my-domain,dc=com
URI ldap://localhost
TLS_REQCERT never       # this line probably won't exist, so add it at the bottom

Create initial LDAP structure

nano /root/root.ldif

The dc=my-domain,dc=com should be the same as the one you set in /etc/openldap/slapd.conf

dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com

dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

rm -rf /etc/openldap/slapd.d/*
slapadd -v -n 2 -l /root/root.ldif
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d
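As an added example (not part of the original guide), the following Python parses a small LDIF file like /root/root.ldif and checks that every entry sits under the suffix and that its parent appears earlier in the file, which is the condition slapadd needs since it loads entries in file order; the embedded sample is constructed from the guide's root.ldif with the groups entry left out to keep it short.

```python
from typing import Dict, List

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse plain LDIF into one {attribute: [values]} dict per entry; handles
    '#' comments, blank-line separators and folded lines that start with a space."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def _norm(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))

def find_orphans(entries: List[Dict[str, List[str]]], suffix: str) -> List[str]:
    """DNs slapadd would reject: outside the suffix, or whose parent has not
    appeared earlier in the file (slapadd loads entries in file order)."""
    base, seen, orphans = _norm(suffix), set(), []
    for entry in entries:
        dn = _norm(entry["dn"][0])
        if dn != base and (not dn.endswith("," + base) or dn.partition(",")[2] not in seen):
            orphans.append(entry["dn"][0])
        seen.add(dn)
    return orphans

# Constructed sample: the guide's root.ldif without the groups entry, to stay short.
SAMPLE_LDIF = """\
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com

dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit
"""
```

Calling find_orphans(parse_ldif(open("/root/root.ldif").read()), "dc=my-domain,dc=com") before running slapadd tells you which entries would fail to load.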

Test LDAP config

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d

Setup SLAPD service

chkconfig --level 235 slapd on
service slapd start

Test LDAP

ldapsearch -x -ZZ -h localhost
ldapsearch -x -H ldaps://localhost

An example of the returned results. The second test should produce the same results, but with search: 2

# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com

# people, my-domain.com
dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

# groups, my-domain.com
dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3

Name Service Switch

[Further reading]

nano /etc/nsswitch.conf
hosts: ldap files dns

Install and Configure phpLDAPadmin

Add EPEL repository

rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install phpLDAPadmin

yum install -y phpldapadmin

Allow access from your network

nano /etc/httpd/conf.d/phpldapadmin.conf

Change 192.168.0 to your own network.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.0

Disable automatic login mechanism

nano /etc/phpldapadmin/config.php

Comment out the following (line 398)

//$servers->setValue('login','attr','uid');

Setup HTTPD service

chkconfig httpd on
service httpd start

Log in to phpLDAPadmin

http://webserver/ldapadmin
un: cn=Manager,dc=my-domain,dc=com
pw: (Password you entered in slappasswd earlier)

Monitoring SLAPD

tail -f /var/log/slapd/slapd.log